Re: SSL-Tunnel blocked?



The log type shows Web Proxy, which is more limited in capabilities than
the Firewall [winsock] Service.

The status says it was aborted because of a "thread exit or an application
request".

My guess is that something is being attempted that the Web Proxy Service
cannot perform.

My suggestion is to install the Firewall Client on the Workstation. If it
still fails, try it again with the proxy settings disabled in the browser
(forcing it to use the Firewall Service).

--
Phillip Windell
www.wandtv.com

The views expressed are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


<davidh@xxxxxxxxxxxxxxxx> wrote in message
news:86c0d1ef-da47-42b4-a0d7-4440d008c04a@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Within the Microsoft Office products, there are occasions when content
from the internet needs to be accessed. For example, to get clip art,
design templates, or help. When we try to pull design templates from
the net into PowerPoint, ISA blocks the request; the output is shown
below. I am guessing that since ISA cannot look at the traffic inside
the SSL tunnel, it errs on the safe side and blocks this traffic. Is
there any way to allow this on my ISA 2006 server?

The other thing that is a bit confusing is my web access rule allows
HTTP, HTTPS, and FTP. What is the difference between allowing HTTPS
traffic and denying SSL-Tunnel?

One more piece of possibly relevant information: we are running in one
NIC mode and just using ISA for web proxy. This will be changed in
about a month as we put ISA inline and use all of its capabilities.

Failed Connection Attempt
WINISA01 2/12/2008 1:22:28 PM
Log type: Web Proxy (Forward)
Status: 995 The I/O operation has been aborted because of either a
thread exit or an application request.
Rule: WebTraffic Out
Source: Internal (10.121.90.14)
Destination: External (131.107.115.40:443)
Request: mpa.one.microsoft.com:443
Filter information: Req ID: 0c762fb6; Compression: client=No,
server=No, compress rate=0% decompress rate=0%
Protocol: SSL-tunnel
User: VCS\HendersonD

